A few interesting, positive developments in cloud security have come in the first quarter of 2010. It seems as if the sky is clearing just a little on the journey to the cloud and in terms of long and short term security priorities, driven by users. It’s going to be a journey of course for some time, but we shouldn’t forget the old Bill Gates (old Bill Gates?) adage of overestimating what can be done in 2 years, and underestimating what can be done in 10. The journey to the cloud right now is about virtualizing and sharing IT resources inside datacenters, both those owned by the user and those operating by third-parties. The first wave of software virtualization is also happening now, as vendors have figured out how to centralize applications and virtualize their use as a service. At this stage in the journey, the business value, costs, and risks taken look to be paying off as businesses continue to look for opportunities to radically shrink ITs girth, resulting of application and infrastructure sprawl that followed that other journey – to the mainframe, and to innovate and deliver IT services with adjustable levels of performance, availability and security. From a distance, looks like mainframes again, doesn’t it?
So back to security. First, there’s no debate that a lot must be done in cloud security, but I think this quarter as produced more of what I would call new solutions and not new problems. Second, I think we already know what has to be done, the challenges/problems, but we need to spend more time and focus on the solutions, across products and platforms. No one that I’ve spoken with has taken their foot off the accelerator in their move to cloud computing, but of course the worst case scenario is that the CEO or service provider “promises it all”, and experiences a calamitous security breach/availability meltdown. In one felled swoop we potentially loose the 18 month head start that the “Google effect”, as my Wikibon colleagues like to refer, and the economic opportunity has created.
Ok, back to security again
Here are my three sunrays in cloud security in 1Q2010. Two are more about collaboration and the need to build out the cloud for public and private service that’s more secure than what we have now, and the third is purely about technology, the key enabler. I’m not mentioning progress on things like firewalling VMs and closing down VM escape channels – all important, and on parallel tracks.
First the technology:
- Information dispersal algorithms (IDA) in client, network, and storage platforms – Cleversafe, a new US firm, and vintage Unisys are being more vocal about the security benefits of IDA, particularly for cloud storage, big archives, and environments with the most strict security profiles. In addition to the security value, the business value is centered around less complexity and cost when compared with traditional backup, encryption, and perimeter based security systems.
Then on collaboration
- Audit – fewer things can drive security people faster to the mark than auditors. In a lot of cases, audit and compliance requirements drive security investment. The vendor and provider collaboration on cloud audit and SCAP look to produce standard APIs and services that allow auditors to peek in to the security of the cloud, and in the process render judgment on how under control the security is or isn’t. Keep your fingers crossed on this.
- Also on collaboration, the cross-vendor security architectures of Netapp, Cisco, and VMware, and the trusted execution proof of concepts by Intel, EMC/RSA, and others are proof points that buy-in to the cloud depends on security integration across products and platforms.
It’s generally been a sunny 1Q2010 for cloud security – technology advances, more collaboration, some new standards – all a testament to the reality that cloud is as profound a shift in computing as was the web 15 years ago.